Customer tools for the road ahead
SHIFT YOUR LANDESK INVESTMENT INTO OVERDRIVE
Learn more at Momentum.LANDESK.com
Carson Platero
Consultant
LANDESK Professional Services
LANDESK Patch Manager 2016
Agenda
• What’s new in LANDESK Patch Manager 2016
• Getting started
• How we scan and remediate
• Understanding the Patch and Compliance Tool
• Configure devices
• Managing Security Content
• Scanning devices
• Patching devices
LDMS Improvements to Patch Manager - Summary
• Improved Charts
• Improved Patch Definition Group options
• Ability to provide Tags for Definitions
• Integration with Rollout Projects tool
• Improved Icons
Dashboards and charts
• Double-click to create a related query
• Chart colors – can choose from different themes
• Display the dashboard in a separate window
• Copy to clipboard as an image
Download updates improvements
• Apply group settings by Definition Type and Severity
• Actions available:
  • Assign Scan Status
  • Assign Autofix Status
  • Add to Custom Groups
  • Assign Tags
  • Add to rollout projects
Definition Tagging
• Add one or more tags to patch definitions
• Add specific tags based on Download Updates Definition group filter criteria
• Integration with Rollout Projects Tool
LANDESK Patch and Compliance
“Why”
Main tasks for configuring Patch and Compliance
o Configure the LANDESK Agent Security and Compliance Settings
o Download vulnerability definitions from a LANDESK Content Server
o Create a scan job to detect vulnerabilities in your environment
o Use the scan results to determine what you are going to patch in your environment
o Download patches for detected vulnerabilities
o Repair detected vulnerabilities by installing patches to affected devices
o View reports to see patch status and repair history
Managing Content
What is the definition of a definition?
Understand LANDESK Content types
o Linux: Security Threats and Vulnerabilities
o Mac: Security Threats, Antivirus (Kaspersky, LANDESK, McAfee and Symantec)
o Windows:
  o Antivirus updates for LANDESK Antivirus and for 3rd party Antivirus vendors (Avast, AVG, Avira, Bitdefender, BullGuard, eScan, ESET, eTrust, Gdata, Kaspersky, McAfee, Microsoft Forefront, Windows Defender, Panda, Shavlik, Sophos, Symantec, Trend Micro, and Vipre)
  o Driver Updates: Dell PowerEdge Servers, HP Client, Lenovo Think Client, Lenovo ThinkServer, Microsoft
  o Applications to block (Malware, Hacking Tools, etc.)
  o LANDESK File Reputation
  o Microsoft Windows Security Threats
  o Microsoft Windows Spyware
  o SCAP (Secure Content Automation Tool)
  o Software Updates (Intel, LANDESK, Lenovo, ThinkVantage)
  o Vulnerabilities (7-zip, Acro Software, Adobe, AOL, Apple, Box, Cisco, Citrix, FileZilla, Foxit, GlavSoft, Google, HP, IAC, IBM, ICQ, IDM, Intel, LibreOffice, McAfee, Microsoft, Mozilla, Notepad++, Nuance, Nullsoft, OpenOffice, Opera, Oracle, Pidgin, Qualcomm, RealNetworks, RealVNC, Skype, Sun, TechSmith, The Gimp Team, TortoiseSVN, TightVNC, Trend Micro, UltraVNC, VideoLAN, VMware, WinZip, Wireshark, XMind, Yahoo)
Content scanning and remediation behavior
Selecting and downloading content types
Vulnerability Content
• LANDESK Content comes in different categories.
• A schedule should be configured to download Security and Patch content at regular intervals.
• Different content types can have separate download tasks.
Managing downloaded content
Many customers patch monthly.
Definition Group Settings can be used to sort definitions into groups and rollout projects.
New distribution group settings options in LDMS 2016
LDMS 2016 offers great flexibility in organizing downloaded content automatically.
• New tabbed interface in the Download Updates tool
  • Filter
  • Scan
  • Autofix
  • Groups and Tags
  • Rollout Projects
Patch Group Examples
• 0 New Patches
• 1 Pilot
• Baseline
• Year
“I’ve downloaded content…
Now what?”
Which Patches Should I Deploy?
• 11,000+ Windows Vulnerabilities
• Severity
• Microsoft NA – carefully review before deploying
• Use Filters
• Suffixes
  • _Manual
  • _Upgrade
  • _Fixit
  • _Detect_Only
  • _All_Updates
Patch Definition Review
• Replaced By
• Repairable
• Detected
• Multiple Versions
• Upgrade
• Product
Disable Replaced Rules
• Check once in a while
• Scan – Replaced or Partial Replaced
Agent Configuration
Agent Settings
Configuring Agent Settings
The Agent Configuration settings are in the Agent Configuration Tool.
These settings control client behavior when scanning and repairing vulnerabilities.
They include such things as whether or not the user will see the Vulnerability Scanner interface, options to defer repairs, reboot behaviors, scanning and repair schedules, etc.
Patch Maintenance
• Meaningful Name
• State AND Time
• Windows Only
• Scan and Download Now
• RepairReboot in Window
• Reboot Settings Must Agree
Pre-Repair / Post-Repair
• Succeeded=true
• Or Zero (0)
• Message=“Hello World”
• If running script depends on file being there or access to share
Scanning and Repair
Getting the work done
Scanning Devices
Scanning of your devices can be started in several ways:
1. Right-click computer and select “Patch and Compliance scan now…”
2. Regular schedule driven by the local scheduler on the client
3. Running Vulscan.exe (Vulnerability scanner) from the command line
4. As part of a repair by right-clicking on a group and clicking “Repair”
(In this case the scan and the repair will both be run in succession)
Typically vulnerability scans should be run daily.
Reviewing scan results
After scanning your environment, those vulnerabilities that have been
found will show up in the Detected section of the tree.
You can then take action on them by multi-selecting and then choosing
right-click repair, or drag them into a group, etc.
Repairing vulnerabilities
• Repairing vulnerabilities can be initiated in several ways, including the following:
  • Right-click definitions and choose “Repair” (Up to 100 at a time)
  • Right-click a group and choose “Repair” (Can be greater than 100)
  • Autofix (or Autofix by Scope)
  • As part of a rollout project
Repair by Group
• Dynamic
• Can contain more than 100 definitions
• Will repair definitions at that level or below
• Useful for repairing baseline plus recent tested patches
Troubleshooting
What to do if reboot and retry fail
Clean Repair History
• Right-Click Device -> Security and Patch Information
• Clean/Repair History
• Look up Wusa.exe and MSIExec errors
• Patch Download – make sure core has downloaded patch
Reboot and Try Again (Why!)
• Detection is often based upon file scanning
• Without a reboot, the old file is still in place
• If after a reboot a definition is still detected, try running it manually on the workstation.
• Possibly a more useful error message will display
Custom Definitions
Plagiarism is Good
Custom Definitions Made Easy
• Take what’s there and make it new again!
• Right Click Definition
• Clone -> Change -> Save
Custom Variables
• Change Install Behavior of Patches
• Close Browsers and Apps
• Used by Install Actions
Query Filter
• Only Used in Custom Defs
• Target Double Check
• Does Hit Database
Stop Processes
• Distribution and Patch Setting must be set to Kill Processes
Install Actions
• Use
• Reuse
• Change
Hands on Lab
Thank you
Your feedback is welcome. Please fill out the survey
for this session in the interchange 16 app.
